477 lines
37 KiB
Plaintext
477 lines
37 KiB
Plaintext
Generated by iptables-save v1.8.7 on Wed Nov 22 14:38:03 2023
|
|
*mangle
|
|
:PREROUTING ACCEPT [0:0]
|
|
:INPUT ACCEPT [0:0]
|
|
:FORWARD ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
:KUBE-KUBELET-CANARY - [0:0]
|
|
:KUBE-PROXY-CANARY - [0:0]
|
|
COMMIT
|
|
# Completed on Wed Nov 22 14:38:03 2023
|
|
# Generated by iptables-save v1.8.7 on Wed Nov 22 14:38:03 2023
|
|
*filter
|
|
:INPUT DROP [3181321:558341228]
|
|
:FORWARD DROP [794:144028]
|
|
:OUTPUT ACCEPT [10001:542005]
|
|
:DOCKER - [0:0]
|
|
:DOCKER-ISOLATION-STAGE-1 - [0:0]
|
|
:DOCKER-ISOLATION-STAGE-2 - [0:0]
|
|
:DOCKER-USER - [0:0]
|
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
|
:KUBE-FIREWALL - [0:0]
|
|
:KUBE-FORWARD - [0:0]
|
|
:KUBE-KUBELET-CANARY - [0:0]
|
|
:KUBE-NODEPORTS - [0:0]
|
|
:KUBE-PROXY-CANARY - [0:0]
|
|
:KUBE-SERVICES - [0:0]
|
|
:ufw-after-forward - [0:0]
|
|
:ufw-after-input - [0:0]
|
|
:ufw-after-logging-forward - [0:0]
|
|
:ufw-after-logging-input - [0:0]
|
|
:ufw-after-logging-output - [0:0]
|
|
:ufw-after-output - [0:0]
|
|
:ufw-before-forward - [0:0]
|
|
:ufw-before-input - [0:0]
|
|
:ufw-before-logging-forward - [0:0]
|
|
:ufw-before-logging-input - [0:0]
|
|
:ufw-before-logging-output - [0:0]
|
|
:ufw-before-output - [0:0]
|
|
:ufw-logging-allow - [0:0]
|
|
:ufw-logging-deny - [0:0]
|
|
:ufw-not-local - [0:0]
|
|
:ufw-reject-forward - [0:0]
|
|
:ufw-reject-input - [0:0]
|
|
:ufw-reject-output - [0:0]
|
|
:ufw-skip-to-policy-forward - [0:0]
|
|
:ufw-skip-to-policy-input - [0:0]
|
|
:ufw-skip-to-policy-output - [0:0]
|
|
:ufw-track-forward - [0:0]
|
|
:ufw-track-input - [0:0]
|
|
:ufw-track-output - [0:0]
|
|
:ufw-user-forward - [0:0]
|
|
:ufw-user-input - [0:0]
|
|
:ufw-user-limit - [0:0]
|
|
:ufw-user-limit-accept - [0:0]
|
|
:ufw-user-logging-forward - [0:0]
|
|
:ufw-user-logging-input - [0:0]
|
|
:ufw-user-logging-output - [0:0]
|
|
:ufw-user-output - [0:0]
|
|
-A INPUT -m comment --comment "kubernetes health check service ports" -j KUBE-NODEPORTS
|
|
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
|
|
-A INPUT -j KUBE-FIREWALL
|
|
-A INPUT -j ufw-before-logging-input
|
|
-A INPUT -j ufw-before-input
|
|
-A INPUT -j ufw-after-input
|
|
-A INPUT -j ufw-after-logging-input
|
|
-A INPUT -j ufw-reject-input
|
|
-A INPUT -j ufw-track-input
|
|
-A INPUT -i enp1s0 -p tcp -m multiport --dports 10000:10100 -j ACCEPT
|
|
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
|
|
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
|
|
-A FORWARD -j DOCKER-USER
|
|
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
|
|
-A FORWARD -o br-4983fa2fcfb9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A FORWARD -o br-4983fa2fcfb9 -j DOCKER
|
|
-A FORWARD -i br-4983fa2fcfb9 ! -o br-4983fa2fcfb9 -j ACCEPT
|
|
-A FORWARD -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -j ACCEPT
|
|
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
|
|
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
|
|
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
|
|
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A FORWARD -o docker0 -j DOCKER
|
|
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
|
|
-A FORWARD -i docker0 -o docker0 -j ACCEPT
|
|
-A FORWARD -j ufw-before-logging-forward
|
|
-A FORWARD -j ufw-before-forward
|
|
-A FORWARD -j ufw-after-forward
|
|
-A FORWARD -j ufw-after-logging-forward
|
|
-A FORWARD -j ufw-reject-forward
|
|
-A FORWARD -j ufw-track-forward
|
|
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
|
|
-A OUTPUT -j KUBE-FIREWALL
|
|
-A OUTPUT -j ufw-before-logging-output
|
|
-A OUTPUT -j ufw-before-output
|
|
-A OUTPUT -j ufw-after-output
|
|
-A OUTPUT -j ufw-after-logging-output
|
|
-A OUTPUT -j ufw-reject-output
|
|
-A OUTPUT -j ufw-track-output
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10249 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10248 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10247 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10246 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10245 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10244 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10243 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10242 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10241 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10240 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10239 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10238 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10237 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10236 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10235 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10234 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10233 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10232 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10231 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10230 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10229 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10228 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10227 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10226 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10225 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10224 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10223 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10222 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10221 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10220 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10219 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10218 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10217 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10216 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10215 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10214 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10213 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10212 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10211 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10210 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10209 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10208 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10207 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10206 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10205 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10204 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10203 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10202 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10201 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 10200 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p tcp -m tcp --dport 7659 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p udp -m udp --dport 7659 -j ACCEPT
|
|
-A DOCKER -d 172.18.0.2/32 ! -i br-4983fa2fcfb9 -o br-4983fa2fcfb9 -p tcp -m tcp --dport 7061 -j ACCEPT
|
|
-A DOCKER-ISOLATION-STAGE-1 -i br-4983fa2fcfb9 ! -o br-4983fa2fcfb9 -j DOCKER-ISOLATION-STAGE-2
|
|
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
|
|
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
|
|
-A DOCKER-ISOLATION-STAGE-2 -o br-4983fa2fcfb9 -j DROP
|
|
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
|
|
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
|
|
-A DOCKER-USER -j RETURN
|
|
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
|
|
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
|
|
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
|
|
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
|
|
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
|
|
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
|
|
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
|
|
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
|
|
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
|
|
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
|
|
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
|
|
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
|
|
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
|
|
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
-A ufw-before-forward -j ufw-user-forward
|
|
-A ufw-before-input -i lo -j ACCEPT
|
|
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
|
|
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
|
|
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
|
|
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
|
|
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
|
|
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
|
|
-A ufw-before-input -j ufw-not-local
|
|
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
|
|
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
|
|
-A ufw-before-input -j ufw-user-input
|
|
-A ufw-before-output -o lo -j ACCEPT
|
|
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A ufw-before-output -j ufw-user-output
|
|
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
|
|
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
|
|
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
|
|
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
|
|
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
|
|
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
|
|
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
|
|
-A ufw-not-local -j DROP
|
|
-A ufw-skip-to-policy-forward -j DROP
|
|
-A ufw-skip-to-policy-input -j DROP
|
|
-A ufw-skip-to-policy-output -j ACCEPT
|
|
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
|
|
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 8083 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 8083 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 8080 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 8080 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 8443 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 8443 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 8083 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 4443 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 4443 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 4443 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 5060 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 5060 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 8089 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 8089 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 8089 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 6443 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 6443 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 4000 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 4000 -j ACCEPT
|
|
-A ufw-user-input -p tcp -m tcp --dport 42229 -j ACCEPT
|
|
-A ufw-user-input -p udp -m udp --dport 42229 -j ACCEPT
|
|
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
|
|
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
|
|
-A ufw-user-limit-accept -j ACCEPT
|
|
COMMIT
|
|
# Completed on Wed Nov 22 14:38:03 2023
|
|
# Generated by iptables-save v1.8.7 on Wed Nov 22 14:38:03 2023
|
|
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
:INPUT ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
:DOCKER - [0:0]
|
|
:KUBE-KUBELET-CANARY - [0:0]
|
|
:KUBE-MARK-DROP - [0:0]
|
|
:KUBE-MARK-MASQ - [0:0]
|
|
:KUBE-NODEPORTS - [0:0]
|
|
:KUBE-POSTROUTING - [0:0]
|
|
:KUBE-PROXY-CANARY - [0:0]
|
|
:KUBE-SEP-2I63D46Z5TKXUT55 - [0:0]
|
|
:KUBE-SEP-4Z3XLHZ4VOBINGVF - [0:0]
|
|
:KUBE-SEP-7PPXA5JT5ALVQPIV - [0:0]
|
|
:KUBE-SEP-CWGKEKETFY7XFR5Q - [0:0]
|
|
:KUBE-SEP-DE64E4JNGUK2FGXF - [0:0]
|
|
:KUBE-SEP-DNHHQ7X6WUNUPOOA - [0:0]
|
|
:KUBE-SEP-DSL7LUEVWMEJDZFH - [0:0]
|
|
:KUBE-SEP-EW4HPRPPWYI7IAGW - [0:0]
|
|
:KUBE-SEP-KJKXYAOCTVTVQIOZ - [0:0]
|
|
:KUBE-SEP-M3BXM2TZN6BQMDOY - [0:0]
|
|
:KUBE-SEP-PV2UI5JCTTCLVIEN - [0:0]
|
|
:KUBE-SEP-S57R3PWTAJ3U7IGR - [0:0]
|
|
:KUBE-SEP-SNPTLXDNVSPZ5ND2 - [0:0]
|
|
:KUBE-SERVICES - [0:0]
|
|
:KUBE-SVC-2FTOYYWAHV6R6EXP - [0:0]
|
|
:KUBE-SVC-3REDA47EVXGO24XN - [0:0]
|
|
:KUBE-SVC-4H7A2MFPHOKLKUN2 - [0:0]
|
|
:KUBE-SVC-4XTDTC2HCUQFMG54 - [0:0]
|
|
:KUBE-SVC-BTYZVAJ4J5U2U6GM - [0:0]
|
|
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
|
|
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
|
|
:KUBE-SVC-KUXVHSHSZUUGBSPN - [0:0]
|
|
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
|
|
:KUBE-SVC-RDOSQGMCHE3E3UDN - [0:0]
|
|
:KUBE-SVC-T2EWXYKLQVICIFAX - [0:0]
|
|
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
|
|
:KUBE-SVC-XSFTT3US6W4LOZ2T - [0:0]
|
|
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
|
|
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
|
|
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
|
|
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
|
|
-A POSTROUTING -s 172.18.0.0/16 ! -o br-4983fa2fcfb9 -j MASQUERADE
|
|
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
|
|
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
|
|
-A POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10249 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10248 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10247 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10246 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10245 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10244 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10243 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10242 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10241 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10240 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10239 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10238 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10237 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10236 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10235 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10234 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10233 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10232 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10231 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10230 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10229 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10228 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10227 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10226 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10225 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10224 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10223 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10222 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10221 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10220 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10219 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10218 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10217 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10216 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10215 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10214 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10213 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10212 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10211 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10210 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10209 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10208 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10207 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10206 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10205 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10204 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10203 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10202 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10201 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 10200 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 7659 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p udp -m udp --dport 7659 -j MASQUERADE
|
|
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 7061 -j MASQUERADE
|
|
-A DOCKER -i br-4983fa2fcfb9 -j RETURN
|
|
-A DOCKER -i docker0 -j RETURN
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10249 -j DNAT --to-destination 172.18.0.2:10249
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10248 -j DNAT --to-destination 172.18.0.2:10248
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10247 -j DNAT --to-destination 172.18.0.2:10247
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10246 -j DNAT --to-destination 172.18.0.2:10246
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10245 -j DNAT --to-destination 172.18.0.2:10245
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10244 -j DNAT --to-destination 172.18.0.2:10244
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10243 -j DNAT --to-destination 172.18.0.2:10243
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10242 -j DNAT --to-destination 172.18.0.2:10242
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10241 -j DNAT --to-destination 172.18.0.2:10241
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10240 -j DNAT --to-destination 172.18.0.2:10240
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10239 -j DNAT --to-destination 172.18.0.2:10239
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10238 -j DNAT --to-destination 172.18.0.2:10238
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10237 -j DNAT --to-destination 172.18.0.2:10237
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10236 -j DNAT --to-destination 172.18.0.2:10236
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10235 -j DNAT --to-destination 172.18.0.2:10235
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10234 -j DNAT --to-destination 172.18.0.2:10234
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10233 -j DNAT --to-destination 172.18.0.2:10233
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10232 -j DNAT --to-destination 172.18.0.2:10232
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10231 -j DNAT --to-destination 172.18.0.2:10231
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10230 -j DNAT --to-destination 172.18.0.2:10230
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10229 -j DNAT --to-destination 172.18.0.2:10229
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10228 -j DNAT --to-destination 172.18.0.2:10228
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10227 -j DNAT --to-destination 172.18.0.2:10227
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10226 -j DNAT --to-destination 172.18.0.2:10226
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10225 -j DNAT --to-destination 172.18.0.2:10225
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10224 -j DNAT --to-destination 172.18.0.2:10224
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10223 -j DNAT --to-destination 172.18.0.2:10223
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10222 -j DNAT --to-destination 172.18.0.2:10222
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10221 -j DNAT --to-destination 172.18.0.2:10221
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10220 -j DNAT --to-destination 172.18.0.2:10220
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10219 -j DNAT --to-destination 172.18.0.2:10219
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10218 -j DNAT --to-destination 172.18.0.2:10218
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10217 -j DNAT --to-destination 172.18.0.2:10217
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10216 -j DNAT --to-destination 172.18.0.2:10216
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10215 -j DNAT --to-destination 172.18.0.2:10215
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10214 -j DNAT --to-destination 172.18.0.2:10214
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10213 -j DNAT --to-destination 172.18.0.2:10213
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10212 -j DNAT --to-destination 172.18.0.2:10212
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10211 -j DNAT --to-destination 172.18.0.2:10211
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10210 -j DNAT --to-destination 172.18.0.2:10210
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10209 -j DNAT --to-destination 172.18.0.2:10209
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10208 -j DNAT --to-destination 172.18.0.2:10208
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10207 -j DNAT --to-destination 172.18.0.2:10207
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10206 -j DNAT --to-destination 172.18.0.2:10206
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10205 -j DNAT --to-destination 172.18.0.2:10205
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10204 -j DNAT --to-destination 172.18.0.2:10204
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10203 -j DNAT --to-destination 172.18.0.2:10203
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10202 -j DNAT --to-destination 172.18.0.2:10202
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10201 -j DNAT --to-destination 172.18.0.2:10201
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 10200 -j DNAT --to-destination 172.18.0.2:10200
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p tcp -m tcp --dport 7659 -j DNAT --to-destination 172.18.0.2:7659
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p udp -m udp --dport 7659 -j DNAT --to-destination 172.18.0.2:7659
|
|
-A DOCKER ! -i br-4983fa2fcfb9 -p tcp -m tcp --dport 7061 -j DNAT --to-destination 172.18.0.2:7061
|
|
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
|
|
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
|
|
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/mongodb-service:27017" -m tcp --dport 31075 -j KUBE-SVC-4H7A2MFPHOKLKUN2
|
|
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/mqtt-mosquitto:mqtt" -m tcp --dport 31788 -j KUBE-SVC-RDOSQGMCHE3E3UDN
|
|
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/fawn-service:http" -m tcp --dport 30004 -j KUBE-SVC-2FTOYYWAHV6R6EXP
|
|
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
|
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
|
|
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully
|
|
-A KUBE-SEP-2I63D46Z5TKXUT55 -s 172.17.0.5/32 -m comment --comment "default/kafka-fox:tcp-client" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-2I63D46Z5TKXUT55 -p tcp -m comment --comment "default/kafka-fox:tcp-client" -m tcp -j DNAT --to-destination 172.17.0.5:9092
|
|
-A KUBE-SEP-4Z3XLHZ4VOBINGVF -s 89.223.87.146/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-4Z3XLHZ4VOBINGVF -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 89.223.87.146:8443
|
|
-A KUBE-SEP-7PPXA5JT5ALVQPIV -s 172.17.0.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-7PPXA5JT5ALVQPIV -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 172.17.0.2:53
|
|
-A KUBE-SEP-CWGKEKETFY7XFR5Q -s 172.17.0.11/32 -m comment --comment "default/fawn-service:http" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-CWGKEKETFY7XFR5Q -p tcp -m comment --comment "default/fawn-service:http" -m tcp -j DNAT --to-destination 172.17.0.11:4000
|
|
-A KUBE-SEP-DE64E4JNGUK2FGXF -s 172.17.0.9/32 -m comment --comment "default/redis-replicas:tcp-redis" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-DE64E4JNGUK2FGXF -p tcp -m comment --comment "default/redis-replicas:tcp-redis" -m tcp -j DNAT --to-destination 172.17.0.9:6378
|
|
-A KUBE-SEP-DNHHQ7X6WUNUPOOA -s 172.17.0.6/32 -m comment --comment "default/kafka-fox-zookeeper:tcp-client" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-DNHHQ7X6WUNUPOOA -p tcp -m comment --comment "default/kafka-fox-zookeeper:tcp-client" -m tcp -j DNAT --to-destination 172.17.0.6:2181
|
|
-A KUBE-SEP-DSL7LUEVWMEJDZFH -s 172.17.0.2/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-DSL7LUEVWMEJDZFH -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 172.17.0.2:9153
|
|
-A KUBE-SEP-EW4HPRPPWYI7IAGW -s 172.17.0.8/32 -m comment --comment "default/redis-master:tcp-redis" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-EW4HPRPPWYI7IAGW -p tcp -m comment --comment "default/redis-master:tcp-redis" -m tcp -j DNAT --to-destination 172.17.0.8:6378
|
|
-A KUBE-SEP-KJKXYAOCTVTVQIOZ -s 172.17.0.6/32 -m comment --comment "default/kafka-fox-zookeeper:tcp-election" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-KJKXYAOCTVTVQIOZ -p tcp -m comment --comment "default/kafka-fox-zookeeper:tcp-election" -m tcp -j DNAT --to-destination 172.17.0.6:3888
|
|
-A KUBE-SEP-M3BXM2TZN6BQMDOY -s 172.17.0.6/32 -m comment --comment "default/kafka-fox-zookeeper:tcp-follower" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-M3BXM2TZN6BQMDOY -p tcp -m comment --comment "default/kafka-fox-zookeeper:tcp-follower" -m tcp -j DNAT --to-destination 172.17.0.6:2888
|
|
-A KUBE-SEP-PV2UI5JCTTCLVIEN -s 172.17.0.4/32 -m comment --comment "default/mqtt-mosquitto:mqtt" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-PV2UI5JCTTCLVIEN -p tcp -m comment --comment "default/mqtt-mosquitto:mqtt" -m tcp -j DNAT --to-destination 172.17.0.4:1883
|
|
-A KUBE-SEP-S57R3PWTAJ3U7IGR -s 172.17.0.3/32 -m comment --comment "default/mongodb-service:27017" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-S57R3PWTAJ3U7IGR -p tcp -m comment --comment "default/mongodb-service:27017" -m tcp -j DNAT --to-destination 172.17.0.3:27017
|
|
-A KUBE-SEP-SNPTLXDNVSPZ5ND2 -s 172.17.0.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
|
|
-A KUBE-SEP-SNPTLXDNVSPZ5ND2 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 172.17.0.2:53
|
|
-A KUBE-SERVICES -d 10.99.219.86/32 -p tcp -m comment --comment "default/kafka-fox-zookeeper:tcp-follower cluster IP" -m tcp --dport 2888 -j KUBE-SVC-3REDA47EVXGO24XN
|
|
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
|
|
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
|
|
-A KUBE-SERVICES -d 10.100.18.72/32 -p tcp -m comment --comment "default/mongodb-service:27017 cluster IP" -m tcp --dport 27017 -j KUBE-SVC-4H7A2MFPHOKLKUN2
|
|
-A KUBE-SERVICES -d 10.111.166.132/32 -p tcp -m comment --comment "default/mqtt-mosquitto:mqtt cluster IP" -m tcp --dport 1883 -j KUBE-SVC-RDOSQGMCHE3E3UDN
|
|
-A KUBE-SERVICES -d 10.110.116.230/32 -p tcp -m comment --comment "default/redis-master:tcp-redis cluster IP" -m tcp --dport 6378 -j KUBE-SVC-T2EWXYKLQVICIFAX
|
|
-A KUBE-SERVICES -d 10.110.54.201/32 -p tcp -m comment --comment "default/kafka-fox:tcp-client cluster IP" -m tcp --dport 9092 -j KUBE-SVC-KUXVHSHSZUUGBSPN
|
|
-A KUBE-SERVICES -d 10.99.219.86/32 -p tcp -m comment --comment "default/kafka-fox-zookeeper:tcp-client cluster IP" -m tcp --dport 2181 -j KUBE-SVC-XSFTT3US6W4LOZ2T
|
|
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
|
|
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
|
|
-A KUBE-SERVICES -d 10.99.219.86/32 -p tcp -m comment --comment "default/kafka-fox-zookeeper:tcp-election cluster IP" -m tcp --dport 3888 -j KUBE-SVC-BTYZVAJ4J5U2U6GM
|
|
-A KUBE-SERVICES -d 10.96.135.185/32 -p tcp -m comment --comment "default/redis-replicas:tcp-redis cluster IP" -m tcp --dport 6379 -j KUBE-SVC-4XTDTC2HCUQFMG54
|
|
-A KUBE-SERVICES -d 10.106.235.198/32 -p tcp -m comment --comment "default/fawn-service:http cluster IP" -m tcp --dport 4000 -j KUBE-SVC-2FTOYYWAHV6R6EXP
|
|
-A KUBE-SERVICES -d 192.168.49.2/32 -p tcp -m comment --comment "default/fawn-service:http external IP" -m tcp --dport 4000 -j KUBE-SVC-2FTOYYWAHV6R6EXP
|
|
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
|
-A KUBE-SVC-2FTOYYWAHV6R6EXP ! -s 10.244.0.0/16 -d 10.106.235.198/32 -p tcp -m comment --comment "default/fawn-service:http cluster IP" -m tcp --dport 4000 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-2FTOYYWAHV6R6EXP ! -s 10.244.0.0/16 -d 192.168.49.2/32 -p tcp -m comment --comment "default/fawn-service:http external IP" -m tcp --dport 4000 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-2FTOYYWAHV6R6EXP -p tcp -m comment --comment "default/fawn-service:http" -m tcp --dport 30004 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-2FTOYYWAHV6R6EXP -m comment --comment "default/fawn-service:http" -j KUBE-SEP-CWGKEKETFY7XFR5Q
|
|
-A KUBE-SVC-3REDA47EVXGO24XN ! -s 10.244.0.0/16 -d 10.99.219.86/32 -p tcp -m comment --comment "default/kafka-fox-zookeeper:tcp-follower cluster IP" -m tcp --dport 2888 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-3REDA47EVXGO24XN -m comment --comment "default/kafka-fox-zookeeper:tcp-follower" -j KUBE-SEP-M3BXM2TZN6BQMDOY
|
|
-A KUBE-SVC-4H7A2MFPHOKLKUN2 ! -s 10.244.0.0/16 -d 10.100.18.72/32 -p tcp -m comment --comment "default/mongodb-service:27017 cluster IP" -m tcp --dport 27017 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-4H7A2MFPHOKLKUN2 -p tcp -m comment --comment "default/mongodb-service:27017" -m tcp --dport 31075 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-4H7A2MFPHOKLKUN2 -m comment --comment "default/mongodb-service:27017" -j KUBE-SEP-S57R3PWTAJ3U7IGR
|
|
-A KUBE-SVC-4XTDTC2HCUQFMG54 ! -s 10.244.0.0/16 -d 10.96.135.185/32 -p tcp -m comment --comment "default/redis-replicas:tcp-redis cluster IP" -m tcp --dport 6379 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-4XTDTC2HCUQFMG54 -m comment --comment "default/redis-replicas:tcp-redis" -j KUBE-SEP-DE64E4JNGUK2FGXF
|
|
-A KUBE-SVC-BTYZVAJ4J5U2U6GM ! -s 10.244.0.0/16 -d 10.99.219.86/32 -p tcp -m comment --comment "default/kafka-fox-zookeeper:tcp-election cluster IP" -m tcp --dport 3888 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-BTYZVAJ4J5U2U6GM -m comment --comment "default/kafka-fox-zookeeper:tcp-election" -j KUBE-SEP-KJKXYAOCTVTVQIOZ
|
|
-A KUBE-SVC-ERIFXISQEP7F7OF4 ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-7PPXA5JT5ALVQPIV
|
|
-A KUBE-SVC-JD5MR3NA4I4DYORP ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-DSL7LUEVWMEJDZFH
|
|
-A KUBE-SVC-KUXVHSHSZUUGBSPN ! -s 10.244.0.0/16 -d 10.110.54.201/32 -p tcp -m comment --comment "default/kafka-fox:tcp-client cluster IP" -m tcp --dport 9092 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-KUXVHSHSZUUGBSPN -m comment --comment "default/kafka-fox:tcp-client" -j KUBE-SEP-2I63D46Z5TKXUT55
|
|
-A KUBE-SVC-NPX46M4PTMTKRN6Y ! -s 10.244.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-4Z3XLHZ4VOBINGVF
|
|
-A KUBE-SVC-RDOSQGMCHE3E3UDN ! -s 10.244.0.0/16 -d 10.111.166.132/32 -p tcp -m comment --comment "default/mqtt-mosquitto:mqtt cluster IP" -m tcp --dport 1883 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-RDOSQGMCHE3E3UDN -p tcp -m comment --comment "default/mqtt-mosquitto:mqtt" -m tcp --dport 31788 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-RDOSQGMCHE3E3UDN -m comment --comment "default/mqtt-mosquitto:mqtt" -j KUBE-SEP-PV2UI5JCTTCLVIEN
|
|
-A KUBE-SVC-T2EWXYKLQVICIFAX ! -s 10.244.0.0/16 -d 10.110.116.230/32 -p tcp -m comment --comment "default/redis-master:tcp-redis cluster IP" -m tcp --dport 6378 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-T2EWXYKLQVICIFAX -m comment --comment "default/redis-master:tcp-redis" -j KUBE-SEP-EW4HPRPPWYI7IAGW
|
|
-A KUBE-SVC-TCOU7JCQXEZGVUNU ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SNPTLXDNVSPZ5ND2
|
|
-A KUBE-SVC-XSFTT3US6W4LOZ2T ! -s 10.244.0.0/16 -d 10.99.219.86/32 -p tcp -m comment --comment "default/kafka-fox-zookeeper:tcp-client cluster IP" -m tcp --dport 2181 -j KUBE-MARK-MASQ
|
|
-A KUBE-SVC-XSFTT3US6W4LOZ2T -m comment --comment "default/kafka-fox-zookeeper:tcp-client" -j KUBE-SEP-DNHHQ7X6WUNUPOOA
|
|
COMMIT
|
|
# Completed on Wed Nov 22 14:38:03 2023
|